Reputation: 3233
I received my certificate by email and then created the necessary files and copied it over. I went to restart my server and received the following errors.
[Wed Feb 08 13:02:06 2012] [error] Init: Unable to read server certificate from file /home/sslcertificates/mydomain.crt
[Wed Feb 08 13:02:06 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Feb 08 13:02:06 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Does anyone have any ideas?
Upvotes: 24
Views: 69435
Reputation: 431
I just faced a similar issue.
I was given multiple versions of the certificates by the person in charge of this. However, the certificate I installed started with -----BEGIN PKCS7----- and ended with -----END PKCS7-----
After realizing this, I searched for the one starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----
PKCS7 is Base64-encoded.
Upvotes: 0
Reputation: 696
(Linux Solution) This has been posted a long time ago - but I have another way to troubleshoot this problem: Change the error logging to a more verbose mode by editing /etc/apache2.conf and find this block:
#
# LogLevel: Control the severity of messages logged to the
# error_log. Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
and change LogLevel to something lower - I chose trace1. Then restart apache:
sudo service apache2 restart
I received the same error message but when I went to the error log in /var/log/apache2/error.log there were many more error messages to help troubleshoot the problem. I was able to determine I was pointing the key file descriptor to the wrong file.
Be sure to change the apache2.conf back to warn and restart the apache2 service after troubleshooting, to keep your error.log file from becoming too large.
Upvotes: 0
Reputation: 4818
Situation: Apache 2.4 using the StartSSL cert generating ASN encoding error
Issue:
AH02564: Failed to configure encrypted (?) private key <domain>.com:80:0, check /etc/pki/tls/certs/ssl.key
Some SSL issuers encrypt the SSL key files by default, so make sure to decrypt it at the server and point to it from the Virtual Host.
Simply cat the key file to make sure it is not encrypted.
Decrypt the key file for the mod_ssl
openssl rsa -in ssl.key -out ssl.key
For SSL config in the Apache conf (httpd.conf) add the following configurations and restart the Apache.
# SSL
<VirtualHost *:443>
ServerName gajen.com
SSLCertificateKeyFile /etc/pki/tls/certs/ssl.key
SSLCertificateFile /etc/pki/tls/certs/ssl.crt
SSLCertificateChainFile /etc/pki/tls/certs/root.ca.pem
</VirtualHost>
For troubleshooting:
tail -n 50 /var/log/httpd/error_log
tail -n 50 /var/log/httpd/ssl_error_log
Upvotes: 17
Reputation: 1596
I had this problem because I was sent the content of an IIS-style .p7b file pasted into an email. It has "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags, just like .pem, and the content uses a similar-looking base64 encoding. I converted it to a *.pem file like so:
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
After that, Apache 2.2 was happy.
Upvotes: 0
Reputation: 1336
Recently, during SSL installation in Apache 2.4, we faced the same error: 'asn1 encoding routines'.
We had placed all the files correctly and pointed to them correctly in the .conf file. After a day of troubleshooting, we realized the issue was not with the configuration but with the certificate we got.
We created the Certificate Signing Request (CSR) using our vendor's inbuilt system. This allowed us to paste the key we created. The SSL certificate which the vendor returned was supposed to map to this CSR, which was mapped to our private key. Apparently it did not match. The SSL certificate they provided does not map to the CSR.
Possible reason: the key-to-CSR transformation is wrong at the vendor side due to Unix line endings (\n instead of \r\n), encoding (ANSI/UTF8), or expected new lines.
We created CSR ourselves using OpenSSL, and bypassed vendor CSR generation. It worked. So, in our case, creating the key and corresponding CSR using OpenSSL and using that to generate the public SSL worked.
OpenSSL Command
openssl req -new -sha256 -key ~/site.com.ssl/site.com.key -out ~/site.com.ssl/site.com.csr
Upvotes: 0
Reputation: 2199
In my case I had the certificates mixed: SSLCertificateFile had the private_key and SSLCertificateKeyFile had the cert.
Upvotes: 9
Reputation: 13
Or you may first need to disable the old password auto-input. Comment out the rule, like:
#SSLPassPhraseDialog exec:/etc/ssl/passphrase-script
Upvotes: 0
Reputation: 53
Leaving this here since it's the first Google search result for the error: This can also be caused when you install a new passphrase-protected certificate and just reload the Apache configuration (rather than restart Apache completely). The reload itself will not throw any errors, but it also will not ask for your passphrase and is unable to decrypt the certificate.
It can be resolved by restarting apache completely which will ask for the passphrase and allow you to decrypt.
Upvotes: 5
Reputation: 408
Another possible source of failure which causes this error message is: Instead of the certificate file I linked to the certification request file. It's recognizable when you read the first line of the file: Either
-----BEGIN CERTIFICATE REQUEST-----
Or
-----BEGIN CERTIFICATE-----
:-)
Upvotes: 20
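As an added example (not from any of the posts above), a small POSIX shell helper that does by script what these answers did by hand: it classifies a PEM file from its BEGIN line (PKCS7 bundle, certificate request, encrypted key, plain key, or certificate), tolerating Windows line endings, and checks that SSLCertificateFile and SSLCertificateKeyFile point at a certificate and its matching key. The file names and base64 bodies are constructed placeholders; `check_pair` assumes openssl is installed.

```shell
# Classify a PEM file by its first "-----BEGIN ...-----" line. A PKCS7 bundle,
# a certificate request, an encrypted key or a swapped cert/key all give the
# same ASN.1 "wrong tag" error. Carriage returns are stripped first so a file
# saved with Windows line endings is still recognised.
pem_kind() {
    header=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN /{p;q;}')
    case "$header" in
        "-----BEGIN CERTIFICATE-----")           echo certificate ;;
        "-----BEGIN CERTIFICATE REQUEST-----")   echo csr ;;
        "-----BEGIN PKCS7-----")                 echo pkcs7 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted-key ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            # Traditional "BEGIN RSA PRIVATE KEY" files mark encryption
            # with a Proc-Type header rather than in the BEGIN line.
            if tr -d '\r' < "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo encrypted-key
            else
                echo key
            fi ;;
        *) echo unknown ;;
    esac
}

# Check that SSLCertificateFile and SSLCertificateKeyFile are a certificate
# and its matching, unencrypted key: the public key in both must be identical.
# Returns 0 on a match, 1 on mismatch or wrong file kind, 2 without openssl.
check_pair() {
    cert=$1; key=$2
    command -v openssl >/dev/null 2>&1 || return 2
    [ "$(pem_kind "$cert")" = certificate ] ||
        { echo "$cert is $(pem_kind "$cert"), not a certificate"; return 1; }
    [ "$(pem_kind "$key")" = key ] ||
        { echo "$key is $(pem_kind "$key"), not a plain private key"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample files: the base64 bodies are placeholders, not real
# keys or certificates; only the headers from the answers above matter here.
tmp=$(mktemp -d)
printf '%s\r\n' '-----BEGIN PKCS7-----' 'MIIB...placeholder' '-----END PKCS7-----' > "$tmp/bundle.p7b"
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIC...placeholder' \
    '-----END CERTIFICATE REQUEST-----' > "$tmp/site.csr"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00' '' 'MIIE...placeholder' '-----END RSA PRIVATE KEY-----' > "$tmp/ssl.key"
for f in bundle.p7b site.csr ssl.key; do
    printf '%s: %s\n' "$f" "$(pem_kind "$tmp/$f")"
done
```

Run `check_pair /path/to/ssl.crt /path/to/ssl.key` on the real files named in your VirtualHost; a non-zero exit tells you which of the mix-ups from the answers above you have before Apache does.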